js · pnpm
Heads-up
pnpm: Path traversal via malicious bin names in global installs
What changed
Manifest bin object keys such as the empty string, ".", and ".." were not rejected by pnpm's bin-name guard, so global package operations could delete files outside the global bin directory via path traversal.
Who it affects
Users of pnpm who install malicious packages globally; the vulnerability affects global remove, update, and add-replacement flows.
What to do today
Review the shared patch branch and apply the fix to reject reserved bin names; monitor for the patched release.
Source
GitHub Advisory · pnpm